Fake e-mails fool users 28 percent of the time, study finds

Confused by what's arriving in your inbox? You're not alone. Nearly one out of three Internet users was unable to tell the difference between fraudulent e-mails designed to steal their identities and legitimate corporate e-mail, a new study finds.

Anti-spam firm MailFrontier Inc. showed 1,000 consumers examples of so-called "phishing" e-mail as well as legitimate e-mail from companies such as eBay and PayPal. About 28 percent of the time, the consumers incorrectly identified the phishing messages as legitimate.

What's more, the legitimate e-mails were often dismissed as potential fraud. An e-mail message from the Federal Trade Commission was dismissed as a fraud by 50 percent of the consumers.

"We knew we'd fool a few people, but we're pretty surprised by 28 percent," said Anne Bonaparte, CEO of MailFrontier. "A number of (the phishing e-mails used in the study) have been around for a while."

'We are losing on both ends'
One reason the look-alike e-mails continue to fool consumers: the people behind them are getting much better at their craft.

"We've definitely seen quite an improvement in grammar, for example," Bonaparte said. "Early versions wouldn't have fooled too many people. Now, they fool a number of us. We did the test here at work and some people had embarrassing results."

One very well-distributed PayPal look-alike e-mail, which claimed credit card information needed to be updated, fooled 31 percent of users surveyed, she said.

"That one was written widely about. You would not have thought that would have fooled people," she said.

Meanwhile, a simple note from PayPal indicating that a payment had been made, which asked for no personal information, was described as a fraud by 20 percent of those studied.

"We are losing on both ends right now," said Dave Jevens, chairman of the Anti-Phishing Working Group, a consortium of companies fighting the problem. He said he wasn't particularly surprised by the results of the study.

"I've seen professionals who work in the industry fall for these. As we can see from this report, it's hard to tell bad mail from good mail. ... It's undermining the ability of people to communicate."

(Think you'd do better at sniffing out the real McCoy? MailFrontier has published a "fair or phish" test similar to the one it used in its study on its Web site.)

Attacks on the rise, banks targeted
Not only are consumers unable to accurately spot fakes, they are regularly surrendering personal information. According to a study released in April by Gartner's Avivah Litan, 1.78 million Americans say they've fallen for a fake e-mail and willingly provided credit card numbers, bank account PINs, and other information to computer criminals.

Perhaps an additional 1 million users have done so and don't realize it, the study said. In all, the study concluded that about $1.2 billion has been stolen from U.S. financial institutions through phishing attacks.

A study to be released next week by the Anti-Phishing Working Group shows phishing activity is still skyrocketing -- there was a 19 percent increase in the number of phishing attacks between May and June. There were nearly 50 new attacks per day in June, the report indicates.

The most popular target, with 492 separate phishing attacks in one month, was once again Citibank. Attacks against banks in general continued to rise in June, with fake US Bank e-mails jumping 50 percent and FirstUSA attacks up 67 percent. Attacks against AOL and Visa declined sharply, suggesting they are less lucrative targets.

For the first time, analysts are tracking the country of origin for the attacks, and results show a number of them are hosted by computers located in Asia. About 20 percent of the Web sites devoted to stealing information are hosted in South Korea; another 16 percent are in China, and 7 percent are in Taiwan. The location doesn't suggest the criminals are located there, but simply indicates they are using computers in those countries.

"This may be due in part to a desire by phishers to host their forged sites in places where language and time zone barriers make it more difficult for brand-owning companies to shut the sites down," the report says. The technique apparently works. Phishing e-mails, and their companion data-stealing Web sites, last an average of 2.25 days, the report says.

The phishing problem continues to get national attention. First Data Corp. and the National Consumers League plan to launch a public service awareness campaign next month warning people about look-alike e-mails.

"Phishing is the fastest growing scam," said Barbara Span, vice president of market intelligence at First Data. Less than a year ago, the National Consumers League hadn't received any complaints about phishing, she said; now it's the 4th-most frequent complaint. "This problem continues to get worse, despite all the publicity it's received."

MSNBC's Bob Sullivan is the author of the upcoming book "Your Evil Twin: Behind the Identity Theft Epidemic."